Advanced Windows PowerShell Scripting Video Training

Monday, July 30, 2012

Even though our domains are multimaster domains, not all functionality can be handled by each machine independently. For example, let’s take a look at the RID Master role.

A RID is part of what uniquely identifies every security object in a domain. A security object is a user, computer, group, or INetOrgPerson. Each of these objects has a Security Identifier (SID). A SID looks like this:

S-1-5-21-576790344-2948317706-4057815606-1702

To break this down:

S – The string is a SID

1 – The revision level

5 – The identifier authority value. Possible identifier authority values are:

0 – Null Authority

1 – World Authority

2 – Local Authority

3 – Creator Authority

4 – Non-unique Authority

5 – NT Authority

9 – Resource Manager Authority

576790344-2948317706-4057815606 – Domain or local computer identifier

1702 – Relative Identifier (RID). This is unique in the domain.

Active Directory uses the SID to identify an object that can have security access assigned to it. You and I use the user name; the user name maps to a SID whose RID portion is unique in the domain. If two domain controllers were handing out RIDs to new objects, there would be a chance that two objects could get the same SID, and two different users would then have each other's access. With the RID Master being a single domain controller, this cannot happen.
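To see the breakdown above in code, here is a small PowerShell function I am adding as an example (it is not from the original post). It splits a SID string into revision, identifier authority, domain identifier and RID, and then cross-checks the domain portion against what .NET reports. The sample SID is the one shown above; the function name is my own.

```powershell
# Added example: split a SID string into the parts described above.
# The sample SID is the one from the post; the function itself is not from the original.
function ConvertFrom-SidString {
    param([Parameter(Mandatory)][string]$Sid)

    if ($Sid -notmatch '^S-\d+-\d+(-\d+)+$') { throw "Not a valid SID string: $Sid" }
    $parts = $Sid.Split('-')          # 'S', revision, identifier authority, sub-authorities...
    $sub   = @($parts[3..($parts.Count - 1)] | ForEach-Object { [uint32]$_ })

    $authorityNames = @{
        0 = 'Null Authority';    1 = 'World Authority';      2 = 'Local Authority'
        3 = 'Creator Authority'; 4 = 'Non-unique Authority'; 5 = 'NT Authority'
        9 = 'Resource Manager Authority'
    }

    # Everything between the authority and the last sub-authority identifies the domain
    # (or the local computer); the last sub-authority is the RID.
    $domainId = if ($sub.Count -gt 1) { $sub[0..($sub.Count - 2)] -join '-' } else { $null }

    [pscustomobject]@{
        Revision            = [int]$parts[1]
        IdentifierAuthority = [int]$parts[2]
        AuthorityName       = $authorityNames[[int]$parts[2]]
        DomainIdentifier    = $domainId
        RID                 = $sub[-1]
    }
}

ConvertFrom-SidString 'S-1-5-21-576790344-2948317706-4057815606-1702'

# Cross-check with .NET: AccountDomainSid is the S-1-5-21-... prefix for domain SIDs
# (it is empty for well-known SIDs such as S-1-1-0), so it should match DomainIdentifier.
$sidObj = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-576790344-2948317706-4057815606-1702'
$sidObj.AccountDomainSid.Value
```

For the sample SID the function returns revision 1, authority 5 (NT Authority), domain identifier 21-576790344-2948317706-4057815606 and RID 1702; the 21 is the first sub-authority that marks a domain or machine SID, which is why the .NET cross-check includes it.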

The easiest way to discover the FSMO (Flexible Single Master Operation) roles was to use NETDOM Query FSMO.

If you need to discover these roles in a PowerShell script, NETDOM makes this difficult because it returns the information as a string of text. To execute the PowerShell commands below, you must do this on a client or server with the ActiveDirectory module installed.
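As an added example (not the commands from the original post), here is how I would get the five FSMO role holders as objects with the ActiveDirectory module, so a script can test them instead of parsing NETDOM output. The function name is mine; the properties on Get-ADForest, Get-ADDomain and Get-ADDomainController are the module's own.

```powershell
# Added example: FSMO role holders as objects rather than NETDOM text.
# Requires the ActiveDirectory module; nothing here is from the original post.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        Forest               = $forest.Name
        Domain               = $domain.DNSRoot
        SchemaMaster         = $forest.SchemaMaster         # forest-wide role
        DomainNamingMaster   = $forest.DomainNamingMaster   # forest-wide role
        PDCEmulator          = $domain.PDCEmulator          # domain role
        RIDMaster            = $domain.RIDMaster            # domain role
        InfrastructureMaster = $domain.InfrastructureMaster # domain role
    }
}

$roles = Get-FsmoRoleHolder
$roles

# The same view from the DC side: every DC in the domain and the roles it holds.
Get-ADDomainController -Filter * | Select-Object HostName, OperationMasterRoles

# The RID Master is the only DC that hands out RID pools, so confirm it answers;
# if it stays down, DCs stop creating new users and groups once their pools run out.
if (-not (Test-Connection -ComputerName $roles.RIDMaster -Count 1 -Quiet)) {
    Write-Warning "RID Master $($roles.RIDMaster) did not answer a ping."
}
```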

Friday, July 27, 2012

The GUI is good, but PowerShell is better. Many IT Pros in my classes are confused about why we are moving more and more to text-based administration. All I can say is “everything old is new again.”

Remember back in the day when we had the expensive mainframe that was larger than most people's living rooms? End users accessed it via terminals. We moved on to the Client/Server model when hardware began to shrink and became cheaper. Now we are moving to virtualized desktops and are accessing them from terminals. Well, the same thing is happening on the administrative side.

We used to do everything in text when it came to network administration. With Windows NT 3.5, we started doing it graphically. This made management very intuitive. There are some limitations, though. Suppose I needed to find all users whose SIDs end in 4, who are in the Newark OU, and who are in both the Finance and HR security groups; once I find them, I need to change their address, add them to another group, and repeat this search and change every week. The GUI cannot do that. So, we need to know PowerShell to handle things like this.
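Here is the weekly search-and-change job from that paragraph written out in PowerShell, as an added example rather than anything from the original post. The domain (MCTNet.com), the OU path, the address and the target group name (Audit) are all assumptions; the cmdlets are the ActiveDirectory module's own.

```powershell
# Added example: the search-and-change job described above, done with the AD module.
# Assumptions (not from the original post): domain MCTNet.com, OU=Newark, groups
# Finance and HR, target group Audit, and a sample street address.
Import-Module ActiveDirectory

$searchBase = 'OU=Newark,DC=MCTNet,DC=com'
$finance    = (Get-ADGroup -Identity 'Finance').DistinguishedName
$hr         = (Get-ADGroup -Identity 'HR').DistinguishedName

# Pull the OU's users once, with the two attributes we filter on, then filter locally.
$targets = Get-ADUser -SearchBase $searchBase -Filter * -Properties MemberOf, SID |
    Where-Object {
        $_.SID.Value -match '4$' -and          # SID string (so the RID) ends in 4
        $_.MemberOf -contains $finance -and    # direct member of Finance...
        $_.MemberOf -contains $hr              # ...and of HR
    }

foreach ($user in $targets) {
    # -WhatIf only reports what would change; drop it to apply the changes for real.
    Set-ADUser -Identity $user -StreetAddress '123 Main St' -City 'Newark' -WhatIf
    Add-ADGroupMember -Identity 'Audit' -Members $user -WhatIf
}

$targets | Select-Object SamAccountName, SID
```

Two things worth knowing before scheduling this weekly: MemberOf lists only direct group membership, so nested membership needs Get-ADGroupMember -Recursive instead, and running with -WhatIf first gives you a dry run you can review before the changes are applied.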

Server 2012 is designed to allow you to manage multiple servers from one. Let’s say that I need to open a remote PowerShell session on another server. This is one way to do it:

Open PowerShell

Type Enter-PSSession -ComputerName Indy-SVR1

Notice that the command prompt has changed to let me know that I am now executing commands on Indy-SVR1.

Now try this.

Open Server Manager.

Right click the server that you want to open the remote PowerShell session on.

Click Windows PowerShell.

Take a look at the command prompt. You are remotely administering the remote server via PowerShell. If you selected multiple servers in Server Manager and then did this procedure, you would open a remote PowerShell session on each one in a separate shell.

Wednesday, July 25, 2012

Password Settings Object (PSO) is another name for Fine-Grained Password Policies. PSOs allow us to set up a different password policy based on security group membership. For example, an employee who is working on a multi-billion-dollar drug might need more characters in their password and more frequent password changes than someone who does not handle critical company data. PSOs allow us to do that.

Up until now, PSOs were created with the ADSI Edit application or PowerShell. Now, we can use the Active Directory Administrative Center.

Open the Active Directory Administrative Center.

Change to Tree View.

Expand System

Click Password Settings Container

Right Click Password Settings Container and then select New –> Password Settings.

Here you can see all the settings that go into a PSO. A few items to point out.

Precedence

In the case of a conflict, where a user is a member of more than one group with a different PSO assigned to each group, the PSO with the lower Precedence number will be the effective PSO.

Direct Applies To

If you do not add any users or groups to the PSO, it will not apply to anybody.

Another nice feature of the AD Administrative Center is that you can easily see the precedence values that have been used and which PSO is using them.
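For those who would rather script it, here is the same PSO work with the ActiveDirectory module, added as an example (it is not from the original post). The policy name, group, user and the settings themselves are assumptions; it creates a stricter PSO, links it to a group so it actually applies to somebody, lists the precedence values already in use, and shows which PSO wins for one user.

```powershell
# Added example: create a PSO, attach subjects, and check precedence with the AD module.
# Policy name, values, group and user are assumptions, not from the original post.
Import-Module ActiveDirectory

# A stricter policy for the people handling critical data. Lower Precedence wins on conflict.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Research' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '30.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:15:00' -LockoutDuration '0.00:30:00' `
    -ReversibleEncryptionEnabled $false

# A PSO with no subjects applies to nobody: link it to the group that should get it.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Research' -Subjects 'Research'

# Precedence values already in use, and who each PSO applies to (what the
# Administrative Center shows you in its precedence view).
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Sort-Object Precedence |
    Select-Object Name, Precedence, AppliesTo

# The PSO that actually governs a given user once precedence has been resolved.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
```

Get-ADUserResultantPasswordPolicy is the quickest way to settle a "which policy applies to this person" question, since it does the precedence comparison for you.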

Monday, July 23, 2012

In Windows Server 2008 R2, we had a new and very welcome feature added to our administrative toolbag. The Active Directory Recycle Bin allowed us to bring back deleted objects from Active Directory without losing any property of that object. Turning it on was an issue. Below is how you turn on the AD Recycle Bin in a 2008 R2 forest with a domain named MCTNet.com.
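As an added example of the steps (this is not the command or screenshot from the original post), here is how I would enable the Recycle Bin for the MCTNet.com forest from the ActiveDirectory module, check the forest functional level first, and verify it afterwards. Run it as a member of Enterprise Admins.

```powershell
# Added example: enable and verify the AD Recycle Bin for the MCTNet.com forest.
# Not the original post's command; the forest name is the one named in the post.
Import-Module ActiveDirectory

$forest = Get-ADForest
# The feature needs the forest at the Windows Server 2008 R2 functional level or higher.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest functional level is $($forest.ForestMode); raise it to $required first."
}

# Enabling is forest-wide and cannot be undone, hence the explicit confirmation switch.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
    -Target 'MCTNet.com' -Confirm:$false

# Verify: EnabledScopes is populated once the feature is on.
Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"' |
    Select-Object Name, EnabledScopes

# From now on, deleted objects can be listed and brought back with their attributes intact.
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects |
    Select-Object Name, LastKnownParent, ObjectClass
# Restore-ADObject -Identity <objectGUID of the deleted object>
```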

Friday, July 20, 2012

When you first install Windows Server 2012, you will notice you are not asked for the name of the server during the installation. This is because a random name is generated. Take a look at the section of the server manager below. Make sure you click Local Server.

Notice the name. In this exercise we are going to change the name and join this server to the domain. In reality, this process has not changed much since Windows 2000.

Click on either the Computer name or the WORKGROUP name.

The System Properties window that we are familiar with appears.

Click the Change button.

Provide the new name for this server and the name of the domain. Click OK.
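The same rename-and-join can be done without the GUI. This is an added example, not from the original post; the new server name and the domain are assumptions, and the cmdlets (Add-Computer with -NewName, Resolve-DnsName, Get-CimInstance) are the ones that ship with Server 2012.

```powershell
# Added example: rename the server and join it to the domain in one step.
# Server name and domain are assumptions, not from the original post.
$newName = 'Indy-SVR2'
$domain  = 'MCTNet.com'

# The random name the installer generated.
$env:COMPUTERNAME

# Joining fails in confusing ways when DNS cannot find a domain controller, so check first.
$dcRecords = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop
"Found $($dcRecords.Count) DC SRV record(s) for $domain"

# Prompt for an account allowed to join computers, then rename, join and reboot.
$cred = Get-Credential -Message "Account with rights to join $domain"
Add-Computer -DomainName $domain -NewName $newName -Credential $cred -Restart

# After the reboot, confirm the result:
# Get-CimInstance Win32_ComputerSystem | Select-Object Name, Domain, PartOfDomain
```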

Wednesday, July 18, 2012

Here is one that I had not thought of. I’m exploring some AD DS installation options for Server Core. While looking around, I discovered that I needed to update my Help files. No problem, except you need to open PowerShell as an administrator, and starting it that way from the command prompt was something I had not done. After some exploring I came up with this.
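One way to do it, as an added example (not the command the original post came up with): from the plain cmd.exe prompt on Server Core, launch an elevated PowerShell with Start-Process -Verb RunAs and have it run Update-Help, then confirm inside the new window that it really is elevated.

```powershell
# Added example, not the original post's command.
# Typed at the cmd.exe prompt on Server Core: start an elevated PowerShell that runs Update-Help
# and stays open so you can read the result.
powershell.exe -NoProfile -Command "Start-Process powershell.exe -Verb RunAs -ArgumentList '-NoExit','-Command','Update-Help'"

# Inside the new window, confirm the session is elevated before trusting the Update-Help result:
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)   # True when elevated
```

Update-Help writes into the module folders under the system path, which is why an unelevated session fails on it; the IsInRole check is the quick way to tell which kind of session you are in.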

Monday, July 16, 2012

As we continue our march to Microsoft’s biggest redesign of the Windows user interface in over a decade, Windows 8, we need to be on the lookout for a few interface changes that may frustrate our users. Here is one. How to shut down Windows 8.

To shut down Windows 8, you need to access the Charm Bar. You can do this by moving your mouse to the upper or lower right. I’ve noticed that this is especially difficult in an RDP connection. Your other option is to press Windows key + C.

Click Settings.

Inside the Settings charm, click Power and then Shut Down.

This may be something to include in your initial end user training for Windows 8. Users will more than likely be frustrated with this interface at first. Taking the time to demonstrate it to your end users will greatly help in end user acceptance of Windows 8.

Wednesday, July 11, 2012

As I continue the transition of my physical servers from Windows Server 2008 R2 to Windows Server 2012, I’m taking note of the changes. Below is a screenshot of the message you get when Windows Server 2012 has a pending update.